Date: Wed, 04 Apr 2012 13:32:56 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: oss-security@...ts.openwall.com
CC: Jan Lieskovsky <jlieskov@...hat.com>,
"Steven M. Christey" <coley@...us.mitre.org>,
Tom Lane <tgl@...hat.com>, pgsql-jdbc@...tgresql.org,
Steffen Dettmer <steffen@...t.de>
Subject: Re: CVE DISPUTE notification: postgresql-jdbc: SQL
injection due improper escaping of JDBC statement parameters
On 03/30/2012 06:28 AM, Jan Lieskovsky wrote:
> Hello Kurt, Steve, vendors,
>
> originally, the following deficiency has been reported by Steffen
> Dettmer: [1] http://seclists.org/bugtraq/2012/Mar/125
>
> A SQL injection flaw was found in the way postgresql-jdbc, a JDBC
> driver for PostgreSQL database, performed escaping of certain JDBC
> statement parameters. A remote attacker could provide a JDBC
> statement with specially-crafted parameters, which once processed
> by the postgresql-jdbc driver would lead to SQL injection.
>
> References: [2]
> http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html
> [3] https://bugzilla.novell.com/show_bug.cgi?id=754273 [4]
> https://bugzilla.redhat.com/show_bug.cgi?id=807394
>
> Upon further issue investigation and discussion with Tom Lane of
> PostgreSQL upstream and JDBC driver upstream the following
> conclusion has been provided:
>
> The upstream development team of the JDBC driver for the
> PostgreSQL database does not consider improper escaping of certain
> JDBC statement / query parameters, when the JDBC driver of version
> older than the version of underlying PostgreSQL server is being
> used, to be a security defect. In general, the JDBC driver for the
> PostgreSQL database does not promise to work with server releases
> newer than the driver release.
Apologies for the delay; at first I agreed with the above, but then I
checked and I think it's a bit more nuanced than that.

First off: I agree this is not an issue in PostgreSQL upstream. This
issue only occurs with an ancient, unsupported and obsolete version of
the JDBC driver when being used with a newer version of PostgreSQL.

However, having stated that, there is a security boundary violation
going on. Just because a software component is out of date or not
supported doesn't mean security bugs shouldn't at least be
acknowledged (software tends to live past its designed lifetime). Add
to this the fact that someone actually reported it, and we can state with
some certainty that it affected at least one person, ergo there is a
reasonable chance it may affect others.

So I checked the CVE database; we have 64 instances of "when used
with", some reasonable examples:

CVE-2009-4040,Candidate,"Cross-site scripting (XSS) vulnerability in
phpMyFAQ before 2.0.17 and 2.5.x before 2.5.2, when used with Internet
Explorer 6 or 7, allows remote attackers to inject arbitrary web
script or HTML via unspecified parameters to the search
page.","CONFIRM:http://www.phpmyfaq.de/advisory_2009-09-01.php

CVE-2008-2705,Candidate,"Unspecified vulnerability in Sun Java System
Access Manager (AM) 7.1, when used with certain versions and
configurations of Sun Directory Server Enterprise Edition (DSEE),
allows remote attackers to bypass authentication via unspecified
vectors.","SUNALERT:238416

So I think it's safe to say that we can (and should) assign CVEs
based on the unintended interactions of products (assigning a CVE
helps ensure that people are more likely to find out, security
scanners all love to pick up on CVEs, etc.). I'm going to assign a
CVE for this and suggest a description of (stolen directly from the
first bug report,
http://lists.opensuse.org/opensuse-security/2012-03/msg00024.html):

"When using PostgreSQL JDBC driver version 8.1 to connect to a
PostgreSQL version 9.1 database, escaping of JDBC statement parameters
does not work and SQL injection attacks are possible. It should be
noted that the PostgreSQL JDBC driver version 8.1 is officially
obsolete and should not be used."

Please use CVE-2012-1618 for this issue.

--
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993